DroopyCTF Walkthrough

Preparation:

Download the DroopyCTF virtual machine from the following website:

https://www.vulnhub.com/entry/droopy-v02,143/

1. Scan the network to find the IP address of the DroopyCTF server.

netdiscover -r 10.0.0.0/

2. Scan the DroopyCTF server using Nmap to find some potential vulnerabilities.

TCP Scan 1:

nmap -Pn -sS --stats-every 3m --max-retries  --max-scan-delay  --defeat-rst-ratelimit -T4 -p1- -oN /root/Delete/tcp1.txt 10.0.0.30

TCP Scan 2:

nmap -nvv -Pn- -sSV -p  --version-intensity  -A -oN /root/Delete/tcp2.txt 10.0.0.30

UDP Scan:

map -Pn --top-ports  -sU --stats-every 3m --max-retries  -T3 -oN /root/Delete/udp.txt 10.0.0.30

3. Browse the website(http://10.0.0.30/) through Firefox. Nothing valuable find in the source page.

Browse the website(http://10.0.0.30/robots.txt) through Firefox.

Browse the website(http://10.0.0.30/CHANGELOG.txt) through Firefox and try to find some vulnerabilities.

Try to find some exploit guider related to Drupal 7.0 in the Exploit Database. Download the exploit code

https://www.exploit-db.com/exploits/34992

We can also find some exploit titles on Kali Linux locally.

searchsploit drupal

We can also try to search for exploit modules related to drupal in Metasploit.

search drupal

4. Let's try to exploit the target server with Metasploit.

Use the exploit/multi/http/drupal_drupageddon module and show the information. It should be work.

Set the parameters and start to exploit. We have the shell.

Find the information of droopy server.

Try to find some exploit guider related to Linux Kernel 3.13.0 in the Exploit Database. Download the exploit code.

https://www.exploit-db.com/exploits/37292

Copy the code to the /var/www/html folder on Kali Linux, then download to the Droopy server.

Try to search the tty shell escapte cheat sheet on the Internet. https://netsec.ws/?p=337

python -c 'import pty; pty.spawn("/bin/sh")'

5. Download the exploit source code to /tmp folder on Droopy server. Compile and execute the exploit file.

Get the root privilege successfully.

OSCP Learning Notes - Capstone(3)的更多相关文章

  1. OSCP Learning Notes - Capstone(4)

    SickOS 1.2 Walkthrough Preparation: Down load the SickOS virtual machines from the following website ...

  2. OSCP Learning Notes - Capstone(2)

    BTRSys v2.1 Walkthrough Preparation: Download the BTRSys virtual machine from the following website: ...

  3. OSCP Learning Notes - Capstone(1)

    Kioptrix Level 1.1 Walkthrough Preparation: Download the virtual machine  from the following website ...

  4. OSCP Learning Notes - Overview

    Prerequisites: Knowledge of scripting languages(Bash/Pyhon) Understanding of basic networking concep ...

  5. OSCP Learning Notes - Buffer Overflows(3)

    Finding Bad Characters 1. Find the bad charaters in the following website: https://bulbsecurity.com/ ...

  6. OSCP Learning Notes - Buffer Overflows(2)

    Finding the Offset 1. Use the Metasploite pattern_create.rb tool to create 5900 characters. /usr/sha ...

  7. OSCP Learning Notes - Buffer Overflows(1)

    Introduction to Buffer Overflows Anatomy of Memory Anatomy of the Stack Fuzzing Tools: Vulnserver -  ...

  8. OSCP Learning Notes - Netcat

    Introduction to Netcat Connecting va Listening Bind Shells Attacker connects to victim on listening ...

  9. OSCP Learning Notes - Enumeration(4)

    DNS Enumeration 1. Host Tool host is a simple utility for performing DNS lookups. It is normally use ...

随机推荐

  1. 《Java并发编程的艺术》第4章 Java并发编程基础 ——学习笔记

    参考https://www.cnblogs.com/lilinzhiyu/p/8086235.html 4.1 线程简介 进程:操作系统在运行一个程序时,会为其创建一个进程. 线程:是进程的一个执行单 ...

  2. JAVA设计模式 1 设计模式介绍、单例模式的理解与使用

    数据结构我们已经学了一部分了.是该了解了解设计模式了.习惯了CRUD的你,也该了解了解这一门神器.我为啥要说是神器呢? 因为在大厂的面试环节.以及很多的比如 Springboot Mybatis 等开 ...

  3. docker镜像瘦身思路

    docker镜像瘦身思路 一.简介 docker镜像太大,带来了以下几个问题: 存储开销 这块影响其实不算很大,因为对服务器磁盘来说,15GB的存储空间并不算大,除非用户服务器的磁盘空间很紧张 部署时 ...

  4. Java中的final关键字解析

    一.final关键字的基本用法 1.修饰类   当用final修饰一个类时,表明这个类不能被继承.注意: final类中的成员变量可以根据需要设为final, final类中的所有成员方法都会被隐式地 ...

  5. redis高级命令1

    设置name的过期时间是20秒 redis默认是16个数据库,默认是将数据存储在第0个数据库中 因为默认是0,当你选择其他数据的时候,是没有值的

  6. 安全测试中session和cookie

    很多朋友做过安全测试应该都知道session和cookies他们的不同点: 1.存取方式不同.----cookie不支持中文,需要编码,仅支持ascll值.session能够存取任何类型的数据,包括j ...

  7. EDM邮件制作

    EDM营销(Email Direct Marketing)也叫:Email营销.电子邮件营销.是指企业向目标客户发送EDM邮件,建立同目标顾客的沟通渠道,向其直接传达相关信息,用来促进销售的一种营销手 ...

  8. python+opencv切割细胞及细胞团(持续更新)

    内容包括:游离细胞的切割,有效细胞的信息提取,找出非正常细胞,细胞团的切割,找出非正常细胞团 代码较多,请移步到我的github

  9. MFC--自己优化滚动条的双缓冲绘图方法

        2010-01-09 18:45 MFC--自己优化的双缓冲绘图方法 自己通过尝试,用修改视图坐标的方法, 优化了双缓冲绘图,实现起来并不复杂. 在介绍这个方法前,重新介绍一下窗口和视口的概念 ...

  10. eclipse在debug模式下鼠标移动到变量上不显示值的问题

    在eclipse中调试时,鼠标移动到变量上不显示值,使用ctrl+shift+i,或者通过配置达到目的: Window->Preferences->Java->Editor-> ...